Obama’s Cybersecurity Executive Order Appears to Pose Little Risk to Citizens’ Privacy—For Now

Graphic from White House’s presentation of Obama’s “State of the Union”

President Barack Obama signed a major cybersecurity executive order hours before he delivered his State of the Union address. The order was highlighted in his address as he spoke about the current threat he believes the government faces from cyber-attacks.

…We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks… [emphasis added]

It was the only mention of privacy in the speech, but it appears to have been a welcome mention.

The executive order—which can be read here—appears to be not as bad as one might have expected. The American Civil Liberties Union (ACLU) described what he signed as an order that “seeks to protect Americans’ digital privacy when information-sharing occurs,” unlike legislation being re-introduced in the House of Representatives.

“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties. For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information,” ACLU Legislative Counsel Michelle Richardson said. “More encouragingly, the adoption of Fair Information Practice Principles for internal information sharing demonstrates a commitment to tried-and-true privacy practices – like consent, transparency, minimization and use limitations. If new information sharing authorities are granted—especially the overbroad ones being pondered by the House—these principles will be more important than ever. We look forward to working with the administration to make sure that the devil isn’t in the details when privacy regulations are drafted.”

“Fair Information Practice Principles” are what is listed in the National Strategy for Trusted Identities in Cyberspace (NSTIC) released in April 2011 by the White House. For example, “transparency” is notifying “individuals regarding collection, use, dissemination and maintenance of personally identifiable information (PII). And it requires “purpose specification”—the specific articulation of the authority that permits the collection of PII when such information is collected and the purpose for which the PII will be used.

Therefore, the ACLU’s reaction seems reasonable, however, for the most part, no clear privacy or civil liberties “protections” are laid out in the executive order. It outlines a process between the Department of Homeland Security (DHS); specifically, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties (CRCL). This is the same office that recently posted an executive summary from a completed impact assessment that concluded suspicionless border searches do not violate Americans’ civil liberties. So, how this Office “protects” citizens’ “privacy” while establishing this framework could be questionable.

Last year, opposition stopped Congress from passing the Cyber Intelligence Sharing and Protection Act (CISPA) because, as the Electronic Frontier Foundation argued, “It would eviscerate existing privacy laws by allowing companies to voluntarily share users’ private information with the government.” The CISPA bill allowed companies to hand any information they deemed to be “cyber threat information” over to a government agency, which could then provide that information to DHS. Once DHS obtained the information, it could be shared with intelligence agencies like the National Security Agency at the discretion of DHS for purposes deemed necessary.

Is there any likelihood that this could still happen under President Obama’s executive order?

The framework for information sharing seems to mostly encourage the sharing of government information with private entities that are involved in operating the nation’s critical infrastructure. As it says, “Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” That suggests the government will be identifying targets that have been hit or could be hit and then they will be contacting representatives of those entities that are most vulnerable.

The order calls for the Secretary of Homeland Security to “coordinate establishment of a set of incentives designed to promote participation” in the critical infrastructure cybersecurity program. How private entities might “voluntarily” participate and what that participation would be like is not described.

In the section on “information sharing,” it outlines how the Attorney General, DHS secretary and Director of National intelligence will produce “unclassified reports of cyber threats to the US homeland that identify a specific targeted identity.” The reports will be provided to the “targeted entity.” It mentions the expansion of an “Enhanced Cybersecurity Services” program for “all critical infrastructure sectors.” This would be a “voluntary information sharing program” where “classified cyber threat and technical information from the Government” is provided to “eligible critical infrastructure companies or commercial service providers.” And it indicates that “private sector subject-matter experts” may be advising government agencies on what information would be useful for protection against cyber threats.

As it stands, the order does not appear to encourage the kind of arbitrary or free-flowing provision of citizens’ private information to government that was in the CISPA bill and opposed by many privacy advocates.

That does not mean that users’ privacy will not be threatened by this framework. The key will be what happens as government agencies, particularly intelligence agencies, work to solidify the framework in the order. The other key will be what legislation that White House decides to back in Congress. The executive order did call for legislation in addition to the framework.

If the White House compromises and accepts CISPA in return for private and public support for this executive order, it would mean citizens’ privacy would be greatly endangered.

Industry groups appear poised to back CISPA once again. The Internet Security Alliance, which counts representatives of General Electric, Verizon, Wells Fargo, and Boeing on its board, said after this evening’s announcement that it “strongly supports the reintroduction” of CISPA over the Democrats’ bill that takes a “traditional, top-down regulatory approach.”

As this order mostly invites industry to participate in a “top-down regulatory approach,” there may be some maneuverings that breathe new life into a push for a new version of CISPA or another CISPA-like bill.

Obama’s Cybersecurity Executive Order Appears to Pose Little Risk to Citizens’ Privacy—For Now

Graphic from White House’s presentation of Obama’s “State of the Union”

President Barack Obama signed a major cybersecurity executive order hours before he delivered his State of the Union address. The order was highlighted in his address as he spoke about the current threat he believes the government faces from cyber-attacks.

…We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks… [emphasis added]

It was the only mention of privacy in the speech, but it appears to have been a welcome mention.

The executive order—which can be read here—appears to be not as bad as one might have expected. The American Civil Liberties Union (ACLU) described what he signed as an order that “seeks to protect Americans’ digital privacy when information-sharing occurs,” unlike legislation being re-introduced in the House of Representatives.

“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties. For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information,” ACLU Legislative Counsel Michelle Richardson said. “More encouragingly, the adoption of Fair Information Practice Principles for internal information sharing demonstrates a commitment to tried-and-true privacy practices – like consent, transparency, minimization and use limitations. If new information sharing authorities are granted—especially the overbroad ones being pondered by the House—these principles will be more important than ever. We look forward to working with the administration to make sure that the devil isn’t in the details when privacy regulations are drafted.”

“Fair Information Practice Principles” are what is listed in the National Strategy for Trusted Identities in Cyberspace (NSTIC) released in April 2011 by the White House. For example, “transparency” is notifying “individuals regarding collection, use, dissemination and maintenance of personally identifiable information (PII). And it requires “purpose specification”—the specific articulation of the authority that permits the collection of PII when such information is collected and the purpose for which the PII will be used.